In terms of a home network, is there any reason to set up a router firewall so that all outgoing ports are blocked, and then open specific ports for things such as HTTP, HTTPS, etc. Given that every computer on the network is trusted, surely the amount of extra security provided by blocking outgoing ports would be pretty much negligible?

Could help prevent your computer from becoming part of a botnet if your computer becomes compromised somehow.
–
hydroparadiseNov 21 '12 at 17:19

2

In my home network, I neglected to block outgoing ports. I quickly wisened up when an exploit in the mail server was used to upload a boostrap piece of malware, which was just a script that made an outgoing connection to download the rest of the malware. The attack could have been mitigated had the bootstrap piece not been able to phone home.
–
KazNov 21 '12 at 22:06

1

I'd recommend to ALSO block outgoing http, https, ssh, etc: only open what you need AT A GIVEN TIME (on critical servers). For example: A server doesn't need to be able to reach the web (or its own updates) apart from the time of the day where it is updating... So if attacked at another period, having outgoing http/https/ssh/whatever blocked will help reducing the attacker's ability to download a payload or use your network in some way.
–
Olivier DulacJun 11 '13 at 12:35

4

"Given that every computer on the network is trusted" -- This is a bad assumption.
–
u2702Jul 8 '13 at 15:33

9 Answers
9

Blocking outbound traffic is usually of benefit in limiting what an attacker can do once they've compromised a system on your network.

So for example if they've managed to get malware onto a system (via an infected e-mail or browser page), the malware might try to "call home" to a command and control system on the Internet to get additional code downloaded or to accept tasks from a control system (e.g. sending spam)

Blocking outbound traffic can help stop this from happening, so it's not so much stopping you getting infected as making it less bad when it's happened.

Could be overkill for a home network tho' as there's a lot of programs which make connections outbound and you'd need to spend a bit of time setting up all the exceptions.

Something similar happens on a windows PC's firewall. It is easier to manage. Whenever a new program that requests outbound connections to the internet is installed, an additional step must be made to allow outbound connections for the installed application (firefox, thunderbird, etc.). This is more manageable than central firewall blocking as a whole.
–
dadinckNov 21 '12 at 18:10

2

@dadinck, but if the Admin account is compromised, would it not be possible for the attacker/virus/Trojan to change the Windows Firewall settings to allow the connection to the Command&Control?
–
LexApr 20 '13 at 8:10

Coming from a security role, particularly if you've ever been involved in incident response, the idea of outbound filtering would seem a natural course in a high security environment. However, it is a very large and complex undertaking. Mention the words "egress filtering" to a firewall, network, or systems administrator and you'll likely get this response.

So while we know that high security environments may need this, and would warrant the extra work, it can sometimes be difficult to get buy-in. Particularly when a unit whose primary duty is to maintain uptime is suddenly asked to take on a potentially significant amount of extra maintenance to accomplish something that has a high probability of reducing uptime.

In this case we would be remis to not mention the compliance angle. Let's look at the PCI-DSS v2.0 for a moment. Requirements section 1 discusses systems and network security. This one is relevant here:

1.3.5

Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

As much as we all like to talk about how "Compliance is a Starting Point" in the real world sometimes the only traction we can get is the goal of filling in that checkbox or passing that audit. Taking a look at compliance documents relevant to your field or service could be useful. While PCI-DSS is exclusively an industry requirement, agreed to by contract law, it is a fairly specific set of requirements that I have seen adopted as a standard to audit against in other places that have less well defined requirements.

Incoming traffic blocking can only prevent unsolicited traffic from reaching your internal network. However, if you get malware on an internal machine (via running an untrusted executable, or through an exploit) you can still be hit.

Blocking outgoing traffic helps limit the damage, by preventing the malware from connecting to a command & control server or exfiltrating data. Whilst your machine will still be compromised, it might save you from having your personal details stolen by a keylogger.

Unless you block all outgoing traffic other than a whitelist of legitimate websites you visit (and/or use a proxy that does whitelisting and security scanning), there's little additional security to be gained from blocking all ports except 80/443. Well, blocking port 25 might be good to keep your network from being used to send spam.

Many botnets already communicate over HTTP to connect to their command/control network since they know that other ports may be blocked (some even use DNS as their command/control protocol). So if you're going to let your network connect to any HTTP server, then you're not giving yourself much additional protection from joining a botnet, and you'll continually run into problems when you try to run things that use other ports like VPN, video conferencing, online gaming, websites on non-standard ports, FTP, etc. And you'd really need to regularly audit the logs to look for signs of infection.

Probably not worth the hassle on a home network. You're probably better off spending your time in trying to prevent malware infection in the first place than in mitigating damage once you've been infected.

In the event that malware makes its way into your network, blocking outgoing traffic can sometimes contain the damage by preventing the malware from contacting a remote server. If you firewall at the machine level, you may also keep the malware from spreading further through your network. Disallowing outgoing traffic also means that your machine becomes less interesting as part of a botnet.

Legitimate software with networking capabilities might be vulnerable and could be tricked into setting up outgoing connections which can then be used to further compromise your system. Consider, for example, a web server that runs an application with a flaw that allows an attacker to trick it into downloading files over the internet instead of opening local files (such a flaw is easy to produce and overlook in, for example, PHP). If you have it properly firewalled off, the request will simply fail, and maybe even trigger an alarm somewhere.

unless you're running a proxy in order to disguise your IP, which code from a website (or injected into a website) could bypass by phoning home on a different port, thus bypassing your proxy (which will normally be configured only to reroute outgoing traffic on the ports usually used by your browser).

This is so simple that anybody using Tor should be aware of it, since it punches a hole right through the mask that Tor provides.

Solution:
Route ALL ports through the proxy (Tor Does not recommend due to performance loss), or block all outgoing ports except for those specifically routed through your proxy.

This thought is driven by all the NSA and GCHQ leaks during the last months: Don't block it - redirect all packets to a trusted host of your own or someone else for further examination. That's the only way to get them caught.

A better approach for a home network is a software "personal firewall" that runs on each PC and prompts the user if they would like to allow a program that is trying to make an outbound connection to do so.

This, while annoying at first when it prompts you for everything while it tries to figure out what should be allowed, is easier to maintain in a home environment than a network firewall doing outbound blocking that has no concept of the difference between Google Chrome making a web page request and LulzBot2000 (yes, I made that up) making a web request for malware payloads.